Add flag for disabling babel-preprocessing in nodejs-scan SAST analyzer
Problem to solve
There are many arguments to be made for our scanners failing due to invalid syntax which are being discussed within #7102 (closed), however to enable usage of our scanners more generally we should explore modifying the precompilation step to make it optional.
Alternatives to babel
We should additionally explore alternative tools to babel in order to strip comments, perhaps some that do not require valid syntax, such as https://www.npmjs.com/package/strip-comments. This exploration should take into account performance indicators and efficacy compared to the current approach.
Babel requires ongoing maintenance and frequent updates in order to support new backfills and presets; i.e.
ECMA 2019 syntax is not yet supported. If we can find a simpler tool for stripping comments it could be significantly easier to maintain.
ENVvariable for disabling preprocessing steps for analyzers/nodejs-scan
- Retain default preprocessing behavior
- Explore less strict alternatives to babel for stripping comments
Permissions and Security
No change to permissions/security
Document new ENV variable for disabling comment stripping
- Add new test project with invalid JS syntax that allows ~sast scans
nodejs-scanshould pass on
gitlab-org/gitlab, see recent issue release-tools!721 (merged)
What does success look like, and how can we measure that?
- User should be able to bypass preprocessing
- Scanner should strip comments without requiring valid syntax (if alternative to babel is found)